Description
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26, t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial URL format (protocol and hostname) multiple times causes the regex to slow down significantly. This vulnerability is fixed in 1.4.26.
Published: 2026-03-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Update Elysia
AI Analysis

Impact

The Elysia JavaScript framework contains a vulnerability in the t.String({ format: 'url' }) validator that leads to a Regular Expression Denial of Service (ReDoS). When an attacker repeats a partial URL pattern consisting of the protocol and hostname in a request, the underlying regex consumes excessive CPU time, so request processing stalls and the service becomes unavailable. The flaw is classified as CWE-1333 (Inefficient Regular Expression Complexity), a time-based denial of service.

Affected Systems

The vulnerability affects the Elysia framework (elysiajs:elysia) running on Node.js. All releases prior to version 1.4.26 are susceptible. The issue is confined to the url format validation logic; any endpoint whose schema uses that format is exposed, whether the framework is used for request validation, type inference, OpenAPI documentation, or client-server communication.

Risk and Exploitability

The severity rating of 7.5 indicates high potential damage if exploited, while the probability of exploitation is estimated to be below one percent. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation is possible by sending crafted URLs to any exposed API endpoint that uses the vulnerable validator; it is inferred that such an attack would not require special privileges and would be a remote denial-of-service attack, but this is not explicitly stated in the CVE description.

Generated by OpenCVE AI on April 18, 2026 at 09:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • It is strongly recommended to update Elysia to version 1.4.26 or newer, where the vulnerable regex has been corrected.
  • Implement rate limiting on all API endpoints that employ t.String({ format: 'url' }) to reduce the impact of a potential ReDoS attack.
  • Validate incoming URLs against a stricter whitelist or length constraint before passing them to the validator, thereby limiting the size of malicious input.



Advisories
Source: Github GHSA
ID: GHSA-f45g-68q3-5w8x
Title: Elysia has a string URL format ReDoS
History

Fri, 20 Mar 2026 15:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:elysiajs:elysia:*:*:*:*:*:node.js:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Elysiajs; Elysiajs elysia
Type: Vendors & Products
Values Added: Elysiajs; Elysiajs elysia

Tue, 10 Mar 2026 20:30:00 +0000

Type: Description
Values Added: Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26, t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly. This vulnerability is fixed in 1.4.26.
Type: Title
Values Added: Elysia has a string URL format redos
Type: Weaknesses
Values Added: CWE-1333
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:33:53.271Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30837

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-10T21:16:47.070

Modified: 2026-03-20T15:23:08.813

Link: CVE-2026-30837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses